Page 35 of 292 results (0.005 seconds)

CVSS: 3.8EPSS: 0%CPEs: 88EXPL: 1

CVE-2012-4422 – WordPress Core < 3.4.2 - Missing Authorization Checks

https://notcve.org/view.php?id=CVE-2012-4422

wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. wp-admin/plugins.php en WordPress anterior a v3.4.2, cuando la característica multisitio está activada, no comprueba los privilegios de administrador de red antes de llevar a cabo la activación de red de un plugin instalado, lo cual podría permitir a usuarios remotos autenticados para realizar cambios no deseados del plugin mediante el aprovechamiento de la función de administrador. • http://codex.wordpress.org/Version_3.4.2 http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file42 http://openwall.com/lists/oss-security/2012/09/13/4 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 1%CPEs: 55EXPL: 2

CVE-2011-4926 – Adminimize <= 1.7.21 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2011-4926

Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS)en adminimize/adminimize_page.php en el plugin anterior a v1.7.22 para WordPress permite a atacantes remotos inyectar código web o HTML a través del parámetro page. • https://www.exploit-db.com/exploits/36325 http://plugins.trac.wordpress.org/changeset?reponame=&new=467338%40adminimize&old=466900%40adminimize#file5 http://wordpress.org/extend/plugins/adminimize/changelog http://www.openwall.com/lists/oss-security/2012/01/05/10 http://www.openwall.com/lists/oss-security/2012/01/10/9 http://www.osvdb.org/77472 http://www.securityfocus.com/archive/1/520591 http://www.securityfocus.com/archive/1/520591/100/0/threaded http://www.securityfocus • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 55EXPL: 0

CVE-2011-5128 – Adminimize < 1.7.22 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2011-5128

Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize plugin before 1.7.22 for WordPress allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, or (3) inc-options/im_export_options.php, or the (4) post or (5) post_ID parameters to adminimize.php, different vectors than CVE-2011-4926. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS)en el plugin anterior a v1.7.22 para WordPress permite a atacantes remotos inyectar script web o HTML a través del parámetro 'page' a (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, o (3) inc-options/im_export_options.php, o el(4) post o (5) parámetro post_ID a adminimize.php, vectores diferentes que CVE-2011-4926. • http://plugins.trac.wordpress.org/changeset?reponame=&new=467338%40adminimize&old=466900%40adminimize#file5 http://wordpress.org/extend/plugins/adminimize/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 4

CVE-2012-3434 – Count Per Day <= 3.1.1 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2012-3434

Multiple cross-site scripting (XSS) vulnerabilities in userperspan.php in the Count Per Day module before 3.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) datemin, or (3) datemax parameter. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en userperspan.php en el módulo (Count Per Day) anterior a v3.2 para Wordpress permite a atacantes remotos inyectar código web o HTML arbitrario a través de (1) una página, (2) el parámetro (datemin) o (3) el parámetro (datemax). • http://plugins.trac.wordpress.org/changeset/571926/count-per-day http://secunia.com/advisories/49692 http://www.darksecurity.de/advisories/2012/SSCHADV2012-015.txt http://www.openwall.com/lists/oss-security/2012/07/24/4 http://www.openwall.com/lists/oss-security/2012/07/27/2 http://www.osvdb.org/83491 http://www.tomsdimension.de/wp-plugins/count-per-day • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 85EXPL: 0

CVE-2012-3384 – WordPress Core < 3.4.1 - Cross-Site Request Forgery

https://notcve.org/view.php?id=CVE-2012-3384

Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Una vulnerabilidad de falsificación de peticiones en sitios cruzados(CSRF) en el personalizador de WordPress anterior a v3.4.1 permite a atacantes remotos secuestrar la autenticación de las víctimas no especificadas a través de vectores desconocidos. • http://codex.wordpress.org/Version_3.4.1 http://www.openwall.com/lists/oss-security/2012/07/02/1 http://www.openwall.com/lists/oss-security/2012/07/08/1 • CWE-352: Cross-Site Request Forgery (CSRF) •